From mboxrd@z Thu Jan 1 00:00:00 1970
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Date: Tue, 17 Dec 2024 17:35:29 -0800
In-Reply-To: <6731d26f.050a0220.1fb99c.014b.GAE@google.com>
Message-ID: <676226e1.050a0220.29fcd0.0082.GAE@google.com>
Subject: Re: [syzbot] [PATCH v2] ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH v2] ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
Author: dennis.lamerice@gmail.com

When mounting ocfs2 and then remounting it as read-only, a slab-use-after-free occurs after the user uses a syscall to quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the dangling pointer.

During the remounting process, the pointer dqi_priv is freed but is never set as null, leaving it to be accessed. Additionally, the read-only option for remounting sets the DQUOT_SUSPENDED flag instead of setting the DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the next quota, the function ocfs2_get_next_id is called and only checks the quota usage flags and not the quota suspended flags.

To fix this, I set dqi_priv to null when it is freed after remounting with read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.

Signed-off-by: Dennis Lam
Reported-by: syzbot+d173bf8a5a7faeede34c@syzkaller.appspotmail.com
Tested-by: syzbot+d173bf8a5a7faeede34c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/
---
Changes in v2:
- replaced dquot suspended check with !sb_has_quota_active instead
- link to v1: https://lore.kernel.org/lkml/20241215035828.106936-2-dennis.lamerice@gmail.com/

#syz test

 fs/ocfs2/quota_global.c | 2 +-
 fs/ocfs2/quota_local.c  | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 2b0daced98eb..096b799d60a0 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid) int status = 0; trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type); - if (!sb_has_quota_loaded(sb, type)) { + if (!sb_has_quota_active(sb, type)){ status = -ESRCH; goto out; } diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index 73d3367c533b..2956d888c131 100644 --- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type) brelse(oinfo->dqi_libh); brelse(oinfo->dqi_lqi_bh); kfree(oinfo); + info->dqi_priv = NULL; return status; } -- 2.47.0
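Review bot: in the ocfs2_get_next_id hunk, the new line `if (!sb_has_quota_active(sb, type)){` drops the space before the opening brace that the replaced `sb_has_quota_loaded` line had; checkpatch reports that, so it should read `if (!sb_has_quota_active(sb, type)) {`. The substitution itself is what actually stops the access described in the changelog: a type that the read-only remount has suspended still passes the loaded check and the function goes on to use the freed private info, while the active check returns -ESRCH for it. The changelog has not been refreshed for v2: it still says a DQUOT_SUSPENDED check was added, and it carries the `#syz test` command line, so both should be cleaned up before the patch is resubmitted for merging.

Review bot: in the ocfs2_local_free_info hunk, `info->dqi_priv = NULL;` uses a local `info` that is outside the shown context; confirm it is the `sb_dqinfo(sb, type)` the changelog names and the object `oinfo` was read from, not some other struct. Clearing the pointer after `kfree(oinfo)` only helps callers that test dqi_priv for NULL, and ocfs2_get_next_id in the previous hunk does not, so on its own this hunk would turn the use-after-free into a NULL dereference rather than prevent it; the protection comes from the active check above, and this line is defence in depth for other readers of dqi_priv. A one-line comment saying that the private info is torn down on remount-ro and the pointer must not be reused would help the next reader. No locking is visible around the `brelse()`/`kfree()`/NULL-store sequence either, so if any path can read dqi_priv concurrently with ocfs2_local_free_info, the window between `kfree(oinfo)` and the NULL store still exists.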
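To make the loaded-versus-active distinction behind the two hunks concrete, here is an added userspace model written for this page; it is not code from the patch, from ocfs2, or from the kernel's quota layer. It assumes a deliberately reduced version of the kernel's per-type quota state bits (usage-enabled stays set while a type is suspended, "loaded" means usage enabled, "active" means loaded and not suspended); the struct names, the `priv_live` bookkeeping, the outcome codes and `run_scenario` are inventions of the example. It replays the sequence from the changelog (quota on, remount read-only, then a get-next-id call) under all four combinations of the two hunks, and reports what the real code would do instead of touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the kernel's per-type quota state bits (assumption:
 * layout and semantics reduced to what this example needs). */
#define DQUOT_USAGE_ENABLED 0x1u
#define DQUOT_SUSPENDED     0x2u

/* Stand-in for ocfs2_mem_dqinfo (hypothetical, example-only). */
struct priv_info {
    int next_id;
};

/* Stand-in for mem_dqinfo plus example-only bookkeeping. */
struct dqinfo {
    unsigned flags;
    struct priv_info *dqi_priv;
    bool priv_live;   /* example-only: is the allocation behind dqi_priv still valid? */
};

/* Assumed to mirror the kernel helpers: loaded == usage enabled (which stays
 * set while suspended), active == loaded and not suspended. */
static bool has_quota_loaded(const struct dqinfo *i)
{
    return (i->flags & DQUOT_USAGE_ENABLED) != 0;
}

static bool has_quota_active(const struct dqinfo *i)
{
    return has_quota_loaded(i) && (i->flags & DQUOT_SUSPENDED) == 0;
}

enum outcome { OUT_OK, OUT_ESRCH, OUT_UAF, OUT_NULL_DEREF };

/* quota on: allocate the private info and enable usage accounting. */
static void quota_on(struct dqinfo *i)
{
    i->dqi_priv = calloc(1, sizeof *i->dqi_priv);
    i->priv_live = true;
    i->flags |= DQUOT_USAGE_ENABLED;
}

/* remount,ro: suspend the type and free its private info.
 * clear_pointer selects whether the second hunk of the patch is applied. */
static void remount_ro(struct dqinfo *i, bool clear_pointer)
{
    i->flags |= DQUOT_SUSPENDED;
    free(i->dqi_priv);
    i->priv_live = false;
    if (clear_pointer)
        i->dqi_priv = NULL;
}

/* get_next_id: check_active selects the first hunk (active vs loaded check).
 * Rather than dereferencing freed memory, report what the real code would do. */
static enum outcome get_next_id(struct dqinfo *i, bool check_active, int *out)
{
    bool permitted = check_active ? has_quota_active(i) : has_quota_loaded(i);

    if (!permitted)
        return OUT_ESRCH;            /* the kernel returns -ESRCH here */
    if (i->dqi_priv == NULL)
        return OUT_NULL_DEREF;       /* pointer cleared but check missing */
    if (!i->priv_live)
        return OUT_UAF;              /* dangling pointer would be used */
    *out = i->dqi_priv->next_id++;
    return OUT_OK;
}

/* Quota on, one successful lookup, remount ro, then the lookup again. */
enum outcome run_scenario(bool check_active, bool clear_pointer)
{
    struct dqinfo info = { 0 };
    int id = -1;
    enum outcome before, after;

    quota_on(&info);
    before = get_next_id(&info, check_active, &id);   /* rw: must succeed */
    if (before != OUT_OK)
        return before;
    remount_ro(&info, clear_pointer);
    after = get_next_id(&info, check_active, &id);
    if (info.priv_live)
        free(info.dqi_priv);
    return after;
}

int main(void)
{
    static const char *names[] = { "ok", "-ESRCH", "use-after-free", "NULL dereference" };

    for (int active = 0; active < 2; active++)
        for (int clear = 0; clear < 2; clear++)
            printf("active-check=%d clear-pointer=%d -> %s\n",
                   active, clear, names[run_scenario(active, clear)]);
    return 0;
}
```

The four runs show why the two hunks are not interchangeable: with neither applied the suspended type is still "loaded" and the stale pointer is used; clearing the pointer alone only converts that into a NULL dereference; switching to the active check is what makes the call return -ESRCH, with or without the cleared pointer.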